Tricking BuildKit into Removing Host Files
CVE-2024-23652
9.1CRITICAL
What is CVE-2024-23652?
A vulnerability exists in BuildKit, a toolkit for converting source code into build artifacts. This security flaw arises when a maliciously crafted BuildKit frontend or Dockerfile using the RUN --mount feature is executed, leading to potential unauthorized removal of files from the host system rather than just the container. Versions of BuildKit prior to v0.12.5 are impacted by this issue. Developers are advised to avoid using BuildKit frontends sourced from untrusted origins and to exercise caution when building Dockerfiles that utilize the RUN --mount directive. The issue has been addressed in BuildKit version 0.12.5.
Affected Version(s)
buildkit < 0.12.5